Praetorian Secure


Accreditation Decision


Certifying Authority (CA) Creates the Certification Decision

A CA reviewer examines the scorecard, validation report, and Plan of Action and Milestones (POA&M) to determine whether there are any identifiable vulnerabilities. If there are no vulnerabilities, the CA reviewer may start drafting the certification determination. If vulnerabilities are identified, the CA reviewer analyzes the severity codes that the validator assigned. If the CA reviewer does not concur with the severity codes assigned by the validator, the CA reviewer annotates the severity codes and documents the justification for the changes. The CA reviewer then makes an overall risk assessment by considering all vulnerabilities, severity codes, system architecture, the intended environment, the mitigation/corrective actions contained in the POA&M, and any modifications made to the severity codes. The overall risk assessment is recorded in the CA detailed assessment.

Issue CA Certification Determination

The CA reviews the C&A package and the draft certification recommendation. If the CA does not concur with the certification determination, the C&A package is sent back to the certification or validation team for further analysis, or additional justifications are requested. If the CA concurs with the reviewer’s recommendations, the CA signs the certification determination document and creates the Executive C&A package, which contains the following documentation:

  • System Identification Profile (SIP)

  • DIACAP scorecard

  • IT Security Plan of Action and Milestones (POA&M)

  • Certification Determination

  • Other required documentation and justifications

This complete package is then provided to the respective Designated Approval Authority (DAA) for the final decision.

Accreditation Decision

The accreditation decision balances risk to the GIG, the operational need to operate, and the cost and time required to put corrective measures in place. Until this point, most of the focus has been at the system or enclave level; the DAA, however, takes a GIG and enterprise view when issuing an accreditation decision. The accreditation decision is one of the following:

  • Authority To Operate (ATO) - An ATO accreditation decision must specify an authorization termination date (ATD) that is within 3 years of the authorization date.

  • Interim Authority To Operate (IATO) - An IATO accreditation decision is intended to allow the system to operate (usually due to criticality of need) while IA weaknesses are managed and rectified. An IATO can be issued for no more than 180 days and may be extended if necessary. Concurrent IATOs may be granted, but may not exceed a total of 360 days.

  • Interim Authority To Test (IATT) - An IATT is a very limited accreditation decision that supports testing using operational data in a test environment, or test data in the operational environment, and mandates de-installation at the ATD unless further operation is authorized by the DAA.

  • Denial Authority To Operate (DATO) - A DATO accreditation decision mandates the removal of a system either permanently or until the risk